Auditing in the Cloud

2 days


This course introduces the seemingly new and specific risks of the various types of cloud computing. Through reviewing recent cloud computing failures and breaches, together with a detailed discussion of traditional contract compliance issues and associated risk mitigation strategies, participants will come away with an ability to assess and prioritize risks associated with their organization's planned or existing implementation(s) of cloud computing.

This course also emphasizes established tools and techniques to assess and prioritize these risks. Course exercises will provide attendees the opportunity to prepare an audit program specific to cloud computing for their organizations. Best practices for reporting, including use of visual models to communicate the location of data and responsibility for controls, will be featured.


Auditors and Chief Audit Executives seeking to understand the key risks and opportunities related to cloud computing should plan to attend. IT Auditors and IT Managers are welcome to attend; however, this is a course on the contractual and management issues associated with cloud computing. This is not a technical IT Audit class.


  • Supervisory or managerial experience is recommended.
  • Business and auditing experience, including interviewing, negotiation, and reporting skills are recommended.
  • Attendees should have a minimum of three to five years of experience, and have completed a variety of Operational and/or Financial Audits.

Course Outline

  • Headline Review: Recent Failures and Breaches in Cloud Computing
  • Discuss cloud computing risks at your organization, based on examples of failures or breaches at other organizations.
  • Discuss recent headlines of cloud computing failures and breaches.
  • Consider the operational, financial, legal, and compliance implications of these headlines for your firm.
  • IT Risk Assessment Frameworks
  • Explain IT risk assessment frameworks, focusing on confidentiality, integrity, and availability.
  • Clarify the "new" risks of cloud computing, including security, availability, compliance, co-location (i.e., multi-tenancy), sustainability, and scalability.
  • Compare these "new" risks against other known risks and controls, using existing IT and operational audit frameworks and techniques.
  • Begin to develop a cloud-focused risk assessment at your firm that considers organization-specific risks and compliance requirements.
  • Business Benefits of Cloud Computing (Why the Cloud?)
  • Compare and contrast cloud computing against more traditional IT systems and controls.
  • State the business benefits of cloud computing, including efficiency, scalability, and flexibility.
  • State the prevalence of cloud computing.
  • Identify some of the cloud providers and distinguish between their service offerings.
  • Defining the Buzzwords
  • Establish a common vocabulary for cloud computing.
  • Compare public, private, and hybrid cloud computing.
  • Distinguish between SaaS, IaaS, PaaS, and DaaS forms of cloud computing.
  • Contrast cloud computing and virtualization.
  • Develop a Risk-assessment Questionnaire for Your Enterprise
  • Develop a risk-assessment questionnaire to prioritize organization-specific risks associated with cloud computing.
  • Prepare a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements.
  • Execute a cloud-focused risk assessment for your firm that considers organization-specific risks and compliance requirements.
  • Leverage and build on your team's existing approach to risk assessment.
  • Risk Responses
  • Recommend risk response options — including risk avoidance, risk reduction, risk sharing, and risk acceptance — given specific risks of cloud computing.
  • Discuss classic risk mitigation techniques as they relate to cloud computing.
  • Identify a scenario where each of these risk responses would be appropriate.
  • Contract Compliance Fundamentals
  • Explain contract compliance fundamentals, with a focus on the kinds of terms and conditions that can be used to protect each party.
  • Discuss any company-specific or industry-specific requirements that should influence an agreement with your cloud computing vendor(s).
  • Compare standard "click-through" agreements and compare/contrast with the T's and C's associated with other common service-level agreements.
  • User Controls
  • Inform management regarding the importance of user controls in preparing for security breaches or outages related to the use of cloud computing services.
  • Recommend user controls that would avoid, reduce, share, or even accept the risks associated with cloud computing security breaches and outages.
  • Recent Litigation Cases
  • Apply data points from recent cases and litigation against organization-specific risks related to cloud computing.
  • Discuss recent IT litigation cases and related news events affecting cloud computing providers and their customers.
  • Debate who should approve risk acceptance for cloud computing agreements at your organization.
  • Developing Your Audit Program
  • Develop a Company-specific audit program to assess and mitigate your organization's risks of cloud computing.
  • Develop a company-specific audit program based on topic areas discussed in class.
  • The first portion of the audit program will focus on activities to be performed prior to using any new cloud computing vendors coming into use.
  • The second portion of the audit program will focus on audit activities to be performed for existing cloud computing vendors.

Thinking about Onsite?

If you need training for 3 or more people, you should ask us about onsite training. Putting aside the obvious location benefit, content can be customised to better meet your business objectives and more can be covered than in a public classroom. It's a cost effective option.

Submit an enquiry from any page on this site, and let us know you are interested in the requirements box, or simply mention it when we contact you.

Upcoming Dates

  • GREEN This class is Guaranteed To Run.
  • SPVC - Self-Paced Virtual Class.
  • Click a Date to Enroll.
Course Location Days Cost Date
Somerset Bath2 850 £850 2019-11-07